The legacy DNS is highly vulnerable to network failures, compromise by
malicious agents, and denial of service attacks, because domains are
typically served by a very small number of nameservers. We first
examine the delegation bottlenecks in DNS; a delegation
bottleneck is the minimum number of nameservers in the delegation
chain of each domain that need to be compromised in order to control
that domain. Table 1 shows the percentage of
domains that are bottlenecked on different numbers of nameservers.
78.63% of domains are restricted by two nameservers, the minimum
recommended by the standard [25].
Surprisingly, 0.82% of domains are served by only one nameserver.
Even the highly popular domains are not exempt from severe bottlenecks
in their delegation chains. Some domains (0.43%) spoof the
minimum requirement by having two nameservers map to the same IP
address. Overall, over 90% of domain names are served by three or
fewer nameservers and can be disabled by relatively small-scale
DoS attacks.

Table:Delegation Bottlenecks in Name Resolution: A
significant number of names are served by two or fewer nameservers,
even for the most popular 500 sites.

Bottlenecks

All Domains

Top 500

1

0.82 %

0.80 %

2

78.44 %

62.80 %

3

9.96 %

13.20 %

4

4.64 %

13.00 %

5

1.43 %

6.40 %

13

4.12 %

0 %

Failure and attack resilience of the legacy DNS is even more limited
at the network level. We examined physical bottlenecks,
that is, the minimum number of network gateways or routers between
clients and nameservers that need to be compromised in order to
control that domain. We measured the physical bottlenecks by
performing traceroutes to 10,000 different nameservers, which
serve about 5,000 randomly chosen domain names, from fifty globally
distributed sites on PlanetLab [2].
Figure 2 plots the percentage of domains that
have different numbers of bottlenecks at the network level, and shows
that about 33% of domains are bottlenecked at a single gateway or
router. While this number is not surprising - domains are typically
served by a few nameservers, all located in the same sub-network - it
highlights that a large number of domains are vulnerable to network
outages. These problems are significant and affect many top level
domains and popular web sites. Recently, Microsoft suffered a DoS
attack on its nameservers that rendered its services unavailable. The
primary reason for the success of this attack was that all of
Microsoft's DNS servers were in the same part of the
network [38]. Overall, a large portion of the namespace can be
compromised by infiltrating a small number of gateways or routers.

Figure:Physical Bottlenecks in Name Resolution: A significant number of domains, including top-level domains, depend on a small number of gateways for their resolution.